diff --git a/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe b/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe
index b1d65ee809..bdec94c11b 100644
--- a/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe
+++ b/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe
@@ -9,6 +9,8 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test_keys/secure_boot_signing_key.pem"
 # Flash Encryption
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
+# NVS Encryption
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 # TEE Secure Storage: Release mode
 CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
diff --git a/components/nvs_sec_provider/Kconfig b/components/nvs_sec_provider/Kconfig
index d0b973e1f0..cbfdd9e755 100644
--- a/components/nvs_sec_provider/Kconfig
+++ b/components/nvs_sec_provider/Kconfig
@@ -4,7 +4,8 @@ menu "NVS Security Provider"
 choice NVS_SEC_KEY_PROTECTION_SCHEME
 prompt "NVS Encryption: Key Protection Scheme"
 depends on NVS_ENCRYPTION
- default NVS_SEC_KEY_PROTECT_USING_FLASH_ENC
+ default NVS_SEC_KEY_PROTECT_USING_HMAC if SOC_HMAC_SUPPORTED
+ default NVS_SEC_KEY_PROTECT_USING_FLASH_ENC if !SOC_HMAC_SUPPORTED
 help
 This choice defines the default NVS encryption keys protection scheme;
 which will be used for the default NVS partition.
diff --git a/docs/en/migration-guides/release-6.x/6.0/security.rst b/docs/en/migration-guides/release-6.x/6.0/security.rst
index 1f0bdc61a3..630275d6c4 100644
--- a/docs/en/migration-guides/release-6.x/6.0/security.rst
+++ b/docs/en/migration-guides/release-6.x/6.0/security.rst
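Review bot: The new target-dependent default at `+ default NVS_SEC_KEY_PROTECT_USING_HMAC if SOC_HMAC_SUPPORTED` silently changes which key-protection scheme is built for every HMAC-capable target whose project never set this choice explicitly, yet the help text in the hunk still reads as if there were one fixed default. Because the two schemes protect the NVS key differently (as the option names indicate, one through the HMAC peripheral, the other through flash encryption), a build that picks up the new default presumably cannot use keys provisioned under the old scheme — the migration guide added later in this patch says users must pin the old scheme, so the Kconfig help should say the same. Suggested addition to the help text: `The default depends on the target: the HMAC-based scheme is selected on SoCs with an HMAC peripheral (SOC_HMAC_SUPPORTED), the flash-encryption-based scheme otherwise; projects that already provisioned NVS keys under one scheme must keep selecting that scheme explicitly.` Note also that the migration-guide sentence conditions the new default on flash encryption being enabled, whereas the Kconfig default tests only `SOC_HMAC_SUPPORTED` (the choice is gated by `NVS_ENCRYPTION`, not by flash encryption), so one of the two descriptions should be aligned with the other. The `choice` block continues outside the hunk.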
@@ -30,3 +30,10 @@ Bootloader Support
 The following deprecated functions have been removed:
 - :cpp:func:`esp_secure_boot_verify_signature_block` – Use :cpp:func:`esp_secure_boot_verify_ecdsa_signature_block` instead.
+
+.. only:: SOC_HMAC_SUPPORTED
+
+ NVS Security Provider
+ ---------------------
+
+ - When NVS encryption is enabled on SoCs with the HMAC peripheral that have flash encryption enabled, the HMAC-based NVS encryption scheme is now selected as default instead of the flash encryption-based scheme. If your application previously used the flash encryption-based scheme, you need to manually configure the NVS encryption scheme to flash encryption from HMAC through ``menuconfig`` or your project's ``sdkconfig`` (i.e., setting ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y``).
diff --git a/examples/security/flash_encryption/sdkconfig.ci b/examples/security/flash_encryption/sdkconfig.ci
index b7f834c1bf..3d50fd9b25 100644
--- a/examples/security/flash_encryption/sdkconfig.ci
+++ b/examples/security/flash_encryption/sdkconfig.ci
@@ -10,3 +10,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/examples/security/flash_encryption/sdkconfig.ci.psram b/examples/security/flash_encryption/sdkconfig.ci.psram
index 6bc2e46df5..d5d6e8c07a 100644
--- a/examples/security/flash_encryption/sdkconfig.ci.psram
+++ b/examples/security/flash_encryption/sdkconfig.ci.psram
@@ -7,6 +7,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 CONFIG_SPIRAM=y
 CONFIG_SPIRAM_BOOT_INIT=y
diff --git a/examples/security/flash_encryption/sdkconfig.ci.rom_impl b/examples/security/flash_encryption/sdkconfig.ci.rom_impl
index 321cd5ee1b..9789bbccc0 100644
--- a/examples/security/flash_encryption/sdkconfig.ci.rom_impl
+++ b/examples/security/flash_encryption/sdkconfig.ci.rom_impl
@@ -7,6 +7,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 CONFIG_SPI_FLASH_ROM_IMPL=y
 CONFIG_COMPILER_OPTIMIZATION_SIZE=y
diff --git a/examples/security/security_features_app/sdkconfig.defaults b/examples/security/security_features_app/sdkconfig.defaults
index 32987b85f3..8ec11ec6c1 100644
--- a/examples/security/security_features_app/sdkconfig.defaults
+++ b/examples/security/security_features_app/sdkconfig.defaults
@@ -29,3 +29,4 @@ CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y
 CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
 CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
 CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback b/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback
index 82dd6864a5..0114fc14c2 100644
--- a/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback
+++ b/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback
@@ -38,3 +38,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
 CONFIG_NVS_ENCRYPTION=n # this test combination is only for flash encryption and anti-rollback use-case and hence disabling it.
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi
index bbbb89bbed..3378561bcf 100644
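Review bot: In sdkconfig.ci.anti_rollback the added `CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y` sits directly under `CONFIG_NVS_ENCRYPTION=n`, and the choice it selects is declared `depends on NVS_ENCRYPTION` in the Kconfig hunk of this same patch, so in this file the new line selects nothing and would be dropped when the sdkconfig is regenerated. Either remove it here or say why it is kept, e.g. `# No effect while NVS encryption is disabled above; kept so this config matches the other flash-encryption CI configs` on the line before it. If it was added because CI tooling greps sdkconfig files for the symbol, that reason belongs in the comment instead.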
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi
+++ b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi
@@ -16,6 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 # This is required for nvs encryption (which is enabled by default with flash encryption)
 CONFIG_PARTITION_TABLE_OFFSET=0x9000
diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2
index 4fb0b551b0..73fc7265dc 100644
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2
+++ b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2
@@ -16,6 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 # This is required for nvs encryption (which is enabled by default with flash encryption)
 CONFIG_PARTITION_TABLE_OFFSET=0x9000
diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe
index b46d7a4f58..31ad1c1fa3 100644
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe
+++ b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe
@@ -21,3 +21,4 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
 CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2
index 40d2f72990..164a15925c 100644
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2
+++ b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2
@@ -24,3 +24,4 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
 CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi b/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi
index d4fba8c002..71026b08d2 100644
--- a/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi
+++ b/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi
@@ -8,6 +8,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 CONFIG_PARTITION_TABLE_OFFSET=0x9000
 CONFIG_EXAMPLE_CONNECT_ETHERNET=n
 CONFIG_EXAMPLE_CONNECT_WIFI=y
diff --git a/tools/test_apps/build_system/bootloader/sdkconfig.defaults b/tools/test_apps/build_system/bootloader/sdkconfig.defaults
index f3453ccf99..ae8132771d 100644
--- a/tools/test_apps/build_system/bootloader/sdkconfig.defaults
+++ b/tools/test_apps/build_system/bootloader/sdkconfig.defaults
@@ -15,6 +15,7 @@ CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n
 #
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 #
 # Increase partition table offset
diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.04 b/tools/test_apps/security/secure_boot/sdkconfig.ci.04
index fcf9c86d36..a0bef5b384 100644
--- a/tools/test_apps/security/secure_boot/sdkconfig.ci.04
+++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.04
@@ -3,3 +3,4 @@ CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem"
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted b/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted
index 4cfe55cc81..7dc2b5ac51 100644
--- a/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted
+++ b/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted
@@ -7,3 +7,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
diff --git a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release
index f4365e57ab..122c060cc0 100644
--- a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release
+++ b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release
@@ -1,3 +1,4 @@
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
 CONFIG_PARTITION_TABLE_OFFSET=0xC000